UNCW MSA 516 - EFFECT OF THIRD PARTIES ON AN ORGANISATION’S IT CONTROLS

This preview shows page 1-2 out of 6 pages.


IS AUDITING GUIDELINE
EFFECT OF THIRD PARTIES ON AN ORGANISATION’S IT CONTROLS
Document G16

Introduction

The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association, Inc. (ISACA) is to advance globally applicable standards to meet this need. The development and dissemination of IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community.

Objectives

The objectives of the ISACA IS Auditing Standards are to inform:
• IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors
• Management and other interested parties of the profession’s expectations concerning the work of practitioners

The objective of IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

Scope and Authority of IS Auditing Standards

The framework for the ISACA IS Auditing Standards provides multiple levels of guidance:
• Standards define mandatory requirements for IS auditing and reporting.
• Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure.
• Procedures provide examples of procedures an IS auditor might follow in an audit engagement. Procedures should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtain the same results. In determining the appropriateness of any specific procedure, group of procedures or test, the IS auditor should apply their own professional judgment to the specific circumstances presented by the particular information systems or technology environment. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.

The words audit and review are used interchangeably.

Holders of the Certified Information Systems Auditor (CISA®) designation are to comply with IS Auditing Standards adopted by ISACA. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.

Development of Standards, Guidelines and Procedures

The ISACA Standards Board is committed to wide consultation in the preparation of IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary.

The Standards Board has an on-going development programme, and would welcome the input of members of the ISACA and holders of the CISA designation and other interested parties to identify emerging issues requiring new standards products. Any suggestions should be e-mailed ([email protected]), faxed (+1.847.253.1443) or mailed (address at the end of guideline) to ISACA International Headquarters, for the attention of the director of research standards and academic relations.

This material was issued on 1 November 2001.

Information Systems Audit and Control Association 2001-2002 STANDARDS BOARD

Chair, Claudio Cilli, CISA, Ph.D. KPMG, Italy
Claude Carter, CISA, CA Office of the Auditor General of Nova Scotia, Canada
Sergio Fleginsky, CISA PricewaterhouseCoopers, Uruguay
Alonso Hernandez, CISA, ROAC Colegio Economistas, Spain
Marcelo Hector Gonzalez, CISA Central Bank of Argentina Republic, Argentina
Andrew MacLeod, CISA, FCPA, MACS, PCP, MIIA Brisbane City Council, Australia
Peter Niblett, CISA, CA, MIIA, CPA Day Neilson, Australia
Venkatakrishnan Vatsaraman, CISA, ACA, AICWA Emirates Airlines, United Arab Emirates
Sander S. Wechsler, CISA, CPA Ernst & Young, USA

Effect of Third Parties on an Organisation’s IT Controls Guideline Version I 1.0

1. BACKGROUND

1.1. Linkage to ISACA Standards

1.1.1. Standard S5 Planning states, “The IS auditor should plan the information systems audit coverage to address the audit objectives and to comply with applicable professional auditing standards.”

1.1.2. Standard S6 Performance of Audit Work states, “During the course of the audit, the IS auditor is to obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.”

1.2. Definitions

1.2.1. ISP—Internet service provider: A third party that provides organisations with a variety of Internet and Internet-related services.

1.2.2. ASP/MSP—application or managed service provider: A third party that delivers and manages applications and computer services, including security services, to multiple users via the Internet or a private network.

1.2.3. BSP—business service provider: An ASP that also provides outsourcing of business processes such as payment processing, sales order processing and application development.

1.2.4. In this guideline, ISPs, ASP/MSPs and BSPs are collectively referred to as third parties. Third parties covered under this guideline include any organisation that is separate from the organisation (such as shared service organisations) whether legally separate or not.

1.3. Guideline Application

1.3.1. When applying this guideline, the IS auditor should consider its guidance in relation to other relevant ISACA guidelines.

1.4. Need for Guideline

1.4.1. This guideline sets out how the IS auditor should comply with the ISACA Standards and COBIT when assessing the effect a third party has on an organisation’s information system controls and related control objectives.

1.4.2. This guideline is not intended to provide guidance on how IS auditors report on third-party provider controls in accordance with other standard setting entities.

2. ROLE OF THIRD-PARTY SERVICE PROVIDERS

2.1. Services of Third-party Providers

2.1.1 Organisations are using the

